DESCRIPTION

Ipsec invokes any of several utilities involved in controlling the IPsec
encryption/authentication system, running the specified command with the
specified arguments as if it had been invoked directly. This largely
eliminates possible name collisions with other software, and also permits
some centralized services.

The commands start, update, reload, restart, and stop are built-in and are
used to control the ipsec starter utility, an extremely fast replacement for
the traditional ipsec setup script.

The commands up, down, route, unroute, status, statusall, listalgs,
listpubkeys, listcerts, listcacerts, listaacerts, listocspcerts, listacerts,
listgroups, listcainfos, listcrls, listocsp, listcards, listall,
rereadsecrets, rereadgroups, rereadcacerts, rereadaacerts, rereadocspcerts,
rereadacerts, rereadcrls, and rereadall are also built-in and completely
replace the corresponding ipsec auto --operation commands. Communication
with the pluto daemon happens via the ipsec whack socket interface.

In particular, ipsec supplies the invoked command with a suitable PATH
environment variable, and also provides IPSEC_DIR, IPSEC_CONFS, and
IPSEC_VERSION environment variables, containing respectively the full
pathname of the directory where the IPsec utilities are stored, the full
pathname of the directory where the configuration files live, and the IPsec
version number.

ipsec start calls ipsec starter which in turn starts pluto.

ipsec update sends a HUP signal to ipsec starter which in turn determines
any changes in ipsec.conf and updates the configuration on the running pluto
daemon correspondingly.

ipsec reload sends a USR1 signal to ipsec starter which in turn reloads the
whole configuration on the running pluto daemon based on the actual
ipsec.conf.

ipsec restart executes ipsec stop followed by ipsec start.

ipsec stop stops ipsec by sending a TERM signal to ipsec starter.

ipsec up name tells the pluto daemon to start up connection name.

ipsec down name tells the pluto daemon to take down connection name.

ipsec route name tells the pluto daemon to install a route for connection
name.

ipsec unroute name tells the pluto daemon to take down the route for
connection name.

ipsec status [ name ] gives concise status information either on connection
name or, if the name argument is lacking, on all connections.

ipsec statusall [ name ] gives detailed status information either on
connection name or, if the name argument is lacking, on all connections.

ipsec listalgs returns a list of all supported IKE encryption and hash
algorithms, the available Diffie-Hellman groups, as well as all supported
ESP encryption and authentication algorithms.

ipsec listpubkeys returns a list of RSA public keys that were either loaded
in raw key format or extracted from X.509 and/or OpenPGP certificates.

ipsec listcerts returns a list of X.509 and/or OpenPGP certificates that
were loaded locally by the pluto daemon.

ipsec listcacerts returns a list of X.509 Certification Authority (CA)
certificates that were loaded locally by the pluto daemon from the
/etc/ipsec/ipsec.d/cacerts/ directory or received in PKCS#7-wrapped
certificate payloads via the IKE protocol.

ipsec listaacerts returns a list of X.509 Authorization Authority (AA)
certificates that were loaded locally by the pluto daemon from the
/etc/ipsec/ipsec.d/aacerts/ directory.

ipsec listocspcerts returns a list of X.509 OCSP Signer certificates that
were either loaded locally by the pluto daemon from the
/etc/ipsec/ipsec.d/ocspcerts/ directory or were sent by an OCSP server.

ipsec listacerts returns a list of X.509 Attribute certificates that were
loaded locally by the pluto daemon from the /etc/ipsec/ipsec.d/acerts/
directory.

ipsec listgroups returns a list of groups that are used to define user
authorization profiles.

ipsec listcards returns a list of certificates residing on smartcards.

ipsec listall returns all information generated by the list commands above.
Each list command can be called with the --url option which displays all
dates in UTC instead of local time.

ipsec rereadsecrets flushes and rereads all secrets defined in ipsec.conf.

ipsec rereadcacerts reads all certificate files contained in the
/etc/ipsec/ipsec.d/cacerts directory and adds them to pluto's list of
Certification Authority (CA) certificates.

ipsec rereadaacerts reads all certificate files contained in the
/etc/ipsec/ipsec.d/aacerts directory and adds them to pluto's list of
Authorization Authority (AA) certificates.

ipsec rereadocspcerts reads all certificate files contained in the
/etc/ipsec/ipsec.d/ocspcerts/ directory and adds them to pluto's list of
OCSP signer certificates.

ipsec rereadacerts reads all certificate files contained in the
/etc/ipsec/ipsec.d/acerts/ directory and adds them to pluto's list of
attribute certificates.

ipsec rereadcrls reads all Certificate Revocation Lists (CRLs) contained in
the /etc/ipsec/ipsec.d/crls/ directory and adds them to pluto's list of
CRLs.

ipsec rereadall is equivalent to the execution of rereadsecrets,
rereadcacerts, rereadaacerts, rereadocspcerts, rereadacerts, and rereadcrls.
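
The reread commands above add every file found in these directories to
pluto's trust lists, so write access to a directory amounts to control over
which CAs, signer certificates and CRLs the daemon accepts. The following is
an added example, not part of the strongSwan manual page: a POSIX shell check
to run before ipsec rereadall. The function names and the expected owner
(root by default) are assumptions; the subdirectory names are the ones listed
on this page.

```sh
#!/bin/sh
# Added example (not from the strongSwan distribution): check the directories
# that the reread* commands load from before asking pluto to reread them.

# Subdirectories of ipsec.d named on this page.
TRUST_SUBDIRS="cacerts aacerts ocspcerts acerts crls"

# list_findings BASE [OWNER]
# Prints one "KIND path" line per problem found under BASE/<subdir>.
# OWNER is the account expected to own everything (assumption: root).
list_findings() {
    base=$1
    owner=${2:-root}
    for sub in $TRUST_SUBDIRS; do
        dir="$base/$sub"
        [ -d "$dir" ] || continue    # a directory that is absent loads nothing
        # Group- or world-writable: another account could add or replace a
        # certificate or CRL that the next reread would load.
        find "$dir" ! -type l \( -perm -020 -o -perm -002 \) \
            -exec printf 'WRITABLE %s\n' {} \;
        # Owned by someone other than the expected account.
        find "$dir" ! -user "$owner" -exec printf 'OWNER %s\n' {} \;
        # Symlinks: the target lies outside this check, so flag for review.
        find "$dir" -type l -exec printf 'SYMLINK %s\n' {} \;
    done
}

# audit_trust_dirs BASE [OWNER]
# Returns 0 when nothing was found, otherwise prints the findings, returns 1.
audit_trust_dirs() {
    report=$(list_findings "$@")
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Typical use: audit_trust_dirs /etc/ipsec/ipsec.d && ipsec rereadall
if [ "$#" -gt 0 ]; then
    audit_trust_dirs "$@"
fi
```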

ipsec --help lists the available commands. Most have their own manual pages,
e.g. ipsec_auto(8) for auto.

ipsec --version outputs version information about Linux strongSwan. A
version code of the form "Uxxx/Kyyy" indicates that the user-level utilities
are version xxx but the kernel portion appears to be version yyy (this form
is used only if the two disagree).

ipsec --versioncode outputs just the version code, with none of --version's
supporting information, for use by scripts.